Making strong authentication for PSD2 services customer-friendly

The Payment Service Directive 2 poses new challenges for the financial world of the EU. Amongst other things, banks must enable third-party providers to obtain account information for further processing. This requires the consent of the account holder by means of strong authentication.

The Payment Service Directive 2 (PSD2) requires banks in the EU to offer interfaces for accessing customer accounts. This enables third-party providers to offer new services across banks. By this "opening" of banks, the EU hopes to create incentives for more innovation and competition. With its Open Banking efforts, Switzerland is also aiming at opening up. Even if this "opening" is based on self-regulation, Switzerland will be facing the same challenges as the EU.

In order for third-party providers to use these interfaces, the consent of the account holder must be obtained. The Regulatory Technical Standard (RTS), which complements PSD2, forces the banks to strongly authenticate the customer for such consents. This means that authenticity is proven by means of two independent security features from the areas of knowledge (e.g. password), ownership (e.g. mobile phone) and inherence (e.g. fingerprint).

Challenges of third-party access

While the customer previously had to retrieve account information directly from his bank, this will also become possible via third parties. This poses new challenges for the parties involved, especially if the information is obtained from several banks in parallel.

Let's say a customer wants to manage the account information of his three bank accounts through a third-party account information service. In that case, each of the three banks would have to obtain the customer's consent by means of strong authentication. As the various banks have a variety of strong authentication mechanisms in place today, obtaining consent could be cumbersome due to the many different methods (PhotoTAN, mTAN, SecurID, etc.).

Such an approach is incomprehensible and probably unacceptable for most customers. It can therefore be assumed that the effort to achieve a harmonization / standardization in the means of authentication will increase with PSD2.

Standards contribute to simplification

The use of standards and smartphones as security tokens may lead to a simplification. FIDO (Fast Identity Online), a standard based on public-key cryptography, could help here. The server side, in this case the bank, knows the public key of the customer. The customer's key pair is generated on his smartphone in a secure area, with the private key never leaving this area. Access to the private key is protected by the authenticator. To use the private key, the authenticator requires a knowledge or inherence feature. In combination with the ownership of the device, the requirements of the RTS would thus be fulfilled.

How would this look in the scenario described? If the three banks involved supported FIDO, the customer could simply confirm each consent by means of a fingerprint.
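The three-bank scenario as a simplified simulation, added here as an illustration and not taken from the article or from the FIDO specifications: each bank stores only a public key, and the device signs the bank's fresh challenge after user verification. The class names, bank identifiers, consent text and signed-message layout are assumptions; real FIDO messages use a different wire format.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
// Bytes that get signed: bank identity, the bank's fresh challenge, the consent text.
const signedBytes = (bankId, challenge, consent) =>
  Buffer.concat([sha256(bankId), challenge, sha256(consent)]);

// Stand-in for the authenticator in the smartphone's secure area (hypothetical class).
class Authenticator {
  #privateKeys = new Map(); // one key pair per bank; private keys never leave this object
  register(bankId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#privateKeys.set(bankId, privateKey);
    return publicKey; // only the public key is handed to the bank
  }
  // userVerified models the fingerprint or PIN check that unlocks the private key.
  sign(bankId, challenge, consent, userVerified) {
    if (!userVerified) throw new Error('user verification failed');
    const key = this.#privateKeys.get(bankId);
    if (!key) throw new Error(`no credential registered for ${bankId}`);
    return crypto.sign('sha256', signedBytes(bankId, challenge, consent), key);
  }
}

// Stand-in for the bank's server side, which only ever stores the public key.
class Bank {
  constructor(id) { this.id = id; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  requestConsent(consent) {
    this.pending = { challenge: crypto.randomBytes(32), consent };
    return this.pending;
  }
  verifyConsent(signature) {
    const p = this.pending;
    this.pending = null; // a challenge is accepted once, so a replayed signature fails
    if (!p || !this.publicKey) return false;
    return crypto.verify('sha256', signedBytes(this.id, p.challenge, p.consent),
      this.publicKey, signature);
  }
}

// The article's scenario: one device, three banks, one consent each (constructed names).
function runScenario(userVerified = true) {
  const phone = new Authenticator();
  const banks = ['bank-a', 'bank-b', 'bank-c'].map((id) => new Bank(id));
  banks.forEach((b) => b.enroll(phone.register(b.id)));
  return banks.map((b) => {
    const { challenge, consent } = b.requestConsent('share account information');
    return b.verifyConsent(phone.sign(b.id, challenge, consent, userVerified));
  });
}
```

Because the bank identity and the challenge are part of the signed bytes, a signature produced for one bank is rejected by another, and a captured signature cannot be replayed against a later challenge.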

PSD2 and Open Banking provide new opportunities for bank customers. User-friendly mechanisms for strong authentication can promote innovation in this area. Thanks to the broad native support of the device manufacturer industry, FIDO will play a decisive role here.

This article was published in Netzwoche No.12 on 4 July 2018 under Focus Fintech.